This test extends the existing tests with IPv6 support. Note that we need to set IPV6_RECVERR on the socket for IPv6 in connect_to_fd_nonblock otherwise the error will be ignored even if we are in the middle of the TCP handshake. See in net/ipv6/datagram.c:ipv6_icmp_error for more details. Signed-off-by: Mahe Tardy --- .../bpf/prog_tests/icmp_send_kfunc.c | 76 +++++++++++++------ tools/testing/selftests/bpf/progs/icmp_send.c | 48 +++++++++--- 2 files changed, 90 insertions(+), 34 deletions(-) diff --git a/tools/testing/selftests/bpf/prog_tests/icmp_send_kfunc.c b/tools/testing/selftests/bpf/prog_tests/icmp_send_kfunc.c index b98c0312adad..d9badfc6e620 100644 --- a/tools/testing/selftests/bpf/prog_tests/icmp_send_kfunc.c +++ b/tools/testing/selftests/bpf/prog_tests/icmp_send_kfunc.c @@ -8,15 +8,17 @@ #define TIMEOUT_MS 1000 #define ICMP_DEST_UNREACH 3 +#define ICMPV6_DEST_UNREACH 1 #define ICMP_FRAG_NEEDED 4 #define NR_ICMP_UNREACH 15 +#define ICMPV6_REJECT_ROUTE 6 static int connect_to_fd_nonblock(int server_fd) { struct sockaddr_storage addr; socklen_t len = sizeof(addr); - int fd, err; + int fd, err, on = 1; if (getsockname(server_fd, (struct sockaddr *)&addr, &len)) return -1; @@ -25,6 +27,12 @@ static int connect_to_fd_nonblock(int server_fd) if (fd < 0) return -1; + if (addr.ss_family == AF_INET6 && + setsockopt(fd, IPPROTO_IPV6, IPV6_RECVERR, &on, sizeof(on)) < 0) { + close(fd); + return -1; + } + err = connect(fd, (struct sockaddr *)&addr, len); if (err < 0 && errno != EINPROGRESS) { close(fd); @@ -34,7 +42,7 @@ static int connect_to_fd_nonblock(int server_fd) return fd; } -static void read_icmp_errqueue(int sockfd, int expected_code) +static void read_icmp_errqueue(int sockfd, int expected_code, int af) { ssize_t n; struct sock_extended_err *sock_err; @@ -44,6 +52,12 @@ static void read_icmp_errqueue(int sockfd, int expected_code) .msg_control = ctrl_buf, .msg_controllen = sizeof(ctrl_buf), }; + int expected_level = (af == AF_INET) ? IPPROTO_IP : IPPROTO_IPV6; + int expected_type = (af == AF_INET) ? IP_RECVERR : IPV6_RECVERR; + int expected_origin = (af == AF_INET) ? SO_EE_ORIGIN_ICMP : + SO_EE_ORIGIN_ICMP6; + int expected_ee_type = (af == AF_INET) ? ICMP_DEST_UNREACH : + ICMPV6_DEST_UNREACH; struct pollfd pfd = { .fd = sockfd, .events = POLLERR, @@ -61,16 +75,16 @@ static void read_icmp_errqueue(int sockfd, int expected_code) return; for (; cm; cm = CMSG_NXTHDR(&msg, cm)) { - if (cm->cmsg_level != IPPROTO_IP || - cm->cmsg_type != IP_RECVERR) + if (cm->cmsg_level != expected_level || + cm->cmsg_type != expected_type) continue; sock_err = (struct sock_extended_err *)CMSG_DATA(cm); - if (!ASSERT_EQ(sock_err->ee_origin, SO_EE_ORIGIN_ICMP, - "sock_err_origin_icmp")) + if (!ASSERT_EQ(sock_err->ee_origin, expected_origin, + "sock_err_origin")) return; - if (!ASSERT_EQ(sock_err->ee_type, ICMP_DEST_UNREACH, + if (!ASSERT_EQ(sock_err->ee_type, expected_ee_type, "sock_err_type_dest_unreach")) return; ASSERT_EQ(sock_err->ee_code, expected_code, "sock_err_code"); @@ -78,14 +92,13 @@ static void read_icmp_errqueue(int sockfd, int expected_code) } static void trigger_prog_read_icmp_errqueue(struct icmp_send *skel, - int code) + int code, int af, const char *ip) { int srv_fd = -1, client_fd = -1; struct sockaddr_in addr; socklen_t len = sizeof(addr); - srv_fd = start_server(AF_INET, SOCK_STREAM, "127.0.0.1", 0, - TIMEOUT_MS); + srv_fd = start_server(af, SOCK_STREAM, ip, 0, TIMEOUT_MS); if (!ASSERT_GE(srv_fd, 0, "start_server")) return; @@ -94,6 +107,8 @@ static void trigger_prog_read_icmp_errqueue(struct icmp_send *skel, return; } skel->bss->server_port = ntohs(addr.sin_port); + skel->bss->unreach_type = (af == AF_INET) ? ICMP_DEST_UNREACH : + ICMPV6_DEST_UNREACH; skel->bss->unreach_code = code; client_fd = connect_to_fd_nonblock(srv_fd); @@ -103,13 +118,33 @@ static void trigger_prog_read_icmp_errqueue(struct icmp_send *skel, } /* Skip reading ICMP error queue if code is invalid */ - if (code >= 0 && code <= NR_ICMP_UNREACH) - read_icmp_errqueue(client_fd, code); + if (code >= 0 && ((af == AF_INET && code <= NR_ICMP_UNREACH) || + (af == AF_INET6 && code <= ICMPV6_REJECT_ROUTE))) + read_icmp_errqueue(client_fd, code, af); close(client_fd); close(srv_fd); } +static void run_icmp_test(struct icmp_send *skel, int af, + const char *ip, int max_code) +{ + for (int code = 0; code <= max_code; code++) { + /* The TCP stack reacts differently when asking for + * fragmentation, let's ignore it for now. + */ + if (af == AF_INET && code == ICMP_FRAG_NEEDED) + continue; + + trigger_prog_read_icmp_errqueue(skel, code, af, ip); + ASSERT_EQ(skel->data->kfunc_ret, 0, "kfunc_ret"); + } + + /* Test an invalid code */ + trigger_prog_read_icmp_errqueue(skel, -1, af, ip); + ASSERT_EQ(skel->data->kfunc_ret, -EINVAL, "kfunc_ret"); +} + void test_icmp_send_unreach(void) { struct icmp_send *skel; @@ -128,20 +163,11 @@ void test_icmp_send_unreach(void) if (!ASSERT_OK_PTR(skel->links.egress, "prog_attach_cgroup")) goto cleanup; - for (int code = 0; code <= NR_ICMP_UNREACH; code++) { - /* The TCP stack reacts differently when asking for - * fragmentation, let's ignore it for now. - */ - if (code == ICMP_FRAG_NEEDED) - continue; - - trigger_prog_read_icmp_errqueue(skel, code); - ASSERT_EQ(skel->data->kfunc_ret, 0, "kfunc_ret"); - } + if (test__start_subtest("ipv4")) + run_icmp_test(skel, AF_INET, "127.0.0.1", NR_ICMP_UNREACH); - /* Test an invalid code */ - trigger_prog_read_icmp_errqueue(skel, -1); - ASSERT_EQ(skel->data->kfunc_ret, -EINVAL, "kfunc_ret"); + if (test__start_subtest("ipv6")) + run_icmp_test(skel, AF_INET6, "::1", ICMPV6_REJECT_ROUTE); cleanup: icmp_send__destroy(skel); diff --git a/tools/testing/selftests/bpf/progs/icmp_send.c b/tools/testing/selftests/bpf/progs/icmp_send.c index 6d0be0a9afe1..6e1ba539eeb0 100644 --- a/tools/testing/selftests/bpf/progs/icmp_send.c +++ b/tools/testing/selftests/bpf/progs/icmp_send.c @@ -5,10 +5,11 @@ /* 127.0.0.1 in host byte order */ #define SERVER_IP 0x7F000001 - -#define ICMP_DEST_UNREACH 3 +/* ::1 in host byte order (last 32-bit word) */ +#define SERVER_IP6_LO 0x00000001 __u16 server_port = 0; +int unreach_type = 0; int unreach_code = 0; int kfunc_ret = -1; @@ -18,19 +19,48 @@ int egress(struct __sk_buff *skb) void *data = (void *)(long)skb->data; void *data_end = (void *)(long)skb->data_end; struct iphdr *iph; + struct ipv6hdr *ip6h; struct tcphdr *tcph; + __u8 version; - iph = data; - if ((void *)(iph + 1) > data_end || iph->version != 4 || - iph->protocol != IPPROTO_TCP || iph->daddr != bpf_htonl(SERVER_IP)) + if (data + 1 > data_end) return SK_PASS; - tcph = (void *)iph + iph->ihl * 4; - if ((void *)(tcph + 1) > data_end || - tcph->dest != bpf_htons(server_port)) + version = (*((__u8 *)data)) >> 4; + + if (version == 4) { + iph = data; + if ((void *)(iph + 1) > data_end || + iph->protocol != IPPROTO_TCP || + iph->daddr != bpf_htonl(SERVER_IP)) + return SK_PASS; + + tcph = (void *)iph + iph->ihl * 4; + if ((void *)(tcph + 1) > data_end || + tcph->dest != bpf_htons(server_port)) + return SK_PASS; + + } else if (version == 6) { + ip6h = data; + if ((void *)(ip6h + 1) > data_end || + ip6h->nexthdr != IPPROTO_TCP) + return SK_PASS; + + if (ip6h->daddr.in6_u.u6_addr32[0] != 0 || + ip6h->daddr.in6_u.u6_addr32[1] != 0 || + ip6h->daddr.in6_u.u6_addr32[2] != 0 || + ip6h->daddr.in6_u.u6_addr32[3] != bpf_htonl(SERVER_IP6_LO)) + return SK_PASS; + + tcph = (void *)(ip6h + 1); + if ((void *)(tcph + 1) > data_end || + tcph->dest != bpf_htons(server_port)) + return SK_PASS; + } else { return SK_PASS; + } - kfunc_ret = bpf_icmp_send(skb, ICMP_DEST_UNREACH, unreach_code); + kfunc_ret = bpf_icmp_send(skb, unreach_type, unreach_code); return SK_DROP; } -- 2.34.1